In modern cryptography, many widely used and market-mandated algorithm implementations have already been published. Designing a secure algorithm does not by itself provide the required security. Security is derived from the implementation of the algorithm and from the associated key material.
Random data is a cornerstone of cryptographic system design. Cryptographic toolkits leverage random bit generators to provide the basis not only for symmetric/asymmetric keys but also for nonces/salts, password generation, key agreement parameters, and a host of other functions. (A “nonce” is an arbitrary number used once in cryptographic communication. A “salt” is random data used as additional input to a function that hashes a password.) Random bit generation can be the weak link in the implementation of cryptography. A weak source of random bits can lead to a weak key, which leads to insecure data.
The challenge is that generating statistically random bits is difficult. The output should be as unpredictable as possible. From a security perspective, the random bit generation mechanism should be uncontrollable and undecipherable by an adversary.
Further, the unpredictability of the random data generation method should be measured to provide some level of assurance that “true” randomness is achieved. True randomness means there is no discernible or predictable pattern in the generated bits, and that each generated bit has no dependency on, or relationship to, the previously generated bits.
In computing, entropy is the randomness collected by an operating system or application for use in cryptography or for other purposes that require random data. Government standards exist for cryptographic applications, including standards related to entropy. According to National Institute of Standards and Technology (NIST) Entropy Source Guidelines SP 800-90B, the only way for a seed value to provide real security is for it to contain a sufficient amount of randomness, i.e., randomness obtained from a non-deterministic process referred to as an entropy source. Ideally, the amount of entropy obtained should be measurable.
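The following is an added worked example, not code from the original text or from NIST, of what "measurable" entropy means in practice. It estimates the min-entropy per sample of raw entropy-source output in the spirit of the SP 800-90B most-common-value estimator (the 99% upper confidence bound on the most frequent value), contrasts it with the Shannon entropy (which overstates what an adversary must guess), and derives how many raw samples a seed of a given strength requires before conditioning. The biased source, the sample counts and the 256-bit seed target are constructed for illustration; the `os.urandom` source stands in for a healthy entropy source.

```python
"""Added example (not from the page): estimating min-entropy of raw entropy-source
output and sizing a seed from the estimate. Simplified from the SP 800-90B
most-common-value (MCV) estimator; use the NIST reference tool for real assessments."""
import hashlib
import math
import os
from collections import Counter


def shannon_entropy_per_sample(samples):
    """Shannon entropy H = -sum p log2 p. Useful for comparison only: it measures
    the *average* surprise, so a source that is usually predictable can still
    score well. Seed sizing must not rely on it."""
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in Counter(samples).values())


def min_entropy_per_sample(samples):
    """Min-entropy estimate per sample, SP 800-90B MCV style.

    p_max is the observed frequency of the most common value; p_u is its 99%
    upper confidence bound (z = 2.576), so the estimate is conservative for
    finite sample counts. Result is -log2(p_u): the entropy the *best* guess
    of an adversary leaves unresolved, which is what keys and seeds need."""
    n = len(samples)
    if n < 2:
        raise ValueError("need at least two samples to estimate entropy")
    p_max = max(Counter(samples).values()) / n
    p_u = min(1.0, p_max + 2.576 * math.sqrt(p_max * (1.0 - p_max) / (n - 1)))
    return -math.log2(p_u)


def samples_needed(min_entropy_bits_per_sample, target_bits=256):
    """How many raw samples must be collected so that the conditioned seed can
    contain target_bits of entropy. Conditioning (hashing) never adds entropy,
    so a weak source simply means collecting more raw samples, not fewer."""
    if min_entropy_bits_per_sample <= 0:
        raise ValueError("source provides no measurable entropy; do not seed from it")
    return math.ceil(target_bits / min_entropy_bits_per_sample)


def derive_seed(samples, target_bits=256):
    """Condition raw samples into a 256-bit seed with SHA-256, after checking
    that enough samples were supplied for the estimated per-sample entropy."""
    rate = min_entropy_per_sample(samples)
    needed = samples_needed(rate, target_bits)
    if len(samples) < needed:
        raise ValueError(f"insufficient entropy: have {len(samples)} samples, "
                         f"need {needed} at {rate:.3f} bits/sample")
    return hashlib.sha256(bytes(samples)).digest()


# Constructed sample sources (for illustration only).
def biased_samples(n=10000):
    """A constructed weak source: 90% of the output is the byte 0, the rest cycles
    through other values. Shannon entropy looks tolerable; min-entropy does not."""
    return [0 if i % 10 else (i // 10) % 256 for i in range(n)]


def healthy_samples(n=100000):
    """Stand-in for a healthy entropy source: OS random bytes."""
    return list(os.urandom(n))


if __name__ == "__main__":
    for name, s in (("biased", biased_samples()), ("healthy", healthy_samples())):
        h = shannon_entropy_per_sample(s)
        m = min_entropy_per_sample(s)
        print(f"{name:8s} shannon={h:5.2f} bits  min-entropy={m:5.2f} bits  "
              f"samples for 256-bit seed: {samples_needed(m)}")
    print("seed from healthy source:", derive_seed(healthy_samples()).hex())
```

The point the numbers make is that the biased source's Shannon entropy sits around one bit per byte while its min-entropy is well under a quarter of a bit, so a 256-bit seed drawn from it needs on the order of two thousand raw bytes, not thirty-two; a seed built from thirty-two of its bytes would be guessable. `derive_seed` refuses exactly that case.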
What is needed is a cryptographically secure implementation of a Pseudo Random Number Generator (PRNG) architecture based on existing algorithms, but providing improvements thereupon for gathering and measuring entropy. Such solutions should be adaptable to a variety of computing and communicating devices, including mobile devices.